Verifying foreign accounts, how do you do it?

[MannDude]

I understand it is common practice in this industry to sometimes request additional information from a customer if their order is flagged for additional review or marked as fraud from Maxmind. I've seen providers request identifying information such as a scan of a government issued ID. When you can check and see that the ID looks real, and the information provided matches that on file for the account, generally that is acceptable verification and all is good. Perhaps in that case, the customer simply required additional review for placing the order from a VPN. Some places are stricter than others and may require even more information to match with the ID, it varies from company to company it seems.

Now, what about those where you are unable to read the provided verification documents sent in from the customer? For example, a Chinese order that is placed with suspicious details. If you're unable to read Chinese, it makes it difficult to determine the legitimacy of their verification information that they may provide. In that case, what do you consider proper verification for a suspicious order? Do you allow them to proceed?

This is something that doesn't seem to be documented much, and it'll be interesting to see what providers here do to ensure they're processing only legit orders.

 

[rds100]

I haven't seen any Chinese IDs but i am sure Chiness passports also have the information written in English / with latin letters.

By Bulgarian ID has everything repeated two times - once in Bulgarian with cyrillic letters and once in English with latin letters.

 

[drmike]

Well there is no easy way to conquer this problem.

If something is labeled/flagged you have to really know why.  If it is their VPN, high risk country status or something else.

People up to no good go far lengths to commit fraud.  So an ID is the least of their to-do list that probably was done.

Collecting such and doing arbitrary checks is meh.   I mean really, does your staff have training to recognize stuff and are they working from a process list.  Then you have the whole post-receiving details handling and proper storage liability.

Me, I'd stick to the outputs provided and determine the flagging reason.  If it is something believable like VPN, tell the customer to place another order not on their VPN.   Beyond something like that, I'd run an order failed fraud check and that's that no risk approach.  Call me fiscally conservative

 

[Kakashi]

It's difficult when it comes to foreign ID's. Usually it's a case of google image search and trying to compare what comes up and try your best to match the features. Usually what I've found though is that people who send through ID's are legit and troublemakers don't bother with it.

 

[Kayaba Akihiko]

From what I know fake IDs are extremely popular and easy to get, just not that cheap to get those holographic or whatever they are ones.

 

[24/7/365]

There's no foolproof way of doing it but we take the approach that it's better to let a customer go who's not willing to verify than to keep a customer who is potentially trouble. It's not worth your time.

I have a funny anecdote about one particular account we verified.

One time we had a customer buy some services with a an incomplete address so naturally this needed verified.

She supplied very well cropped, perfectly horizontal and quite posterised scans of government ID and proof of address so naturally this was a little suspect. We asked if she would be willing to take a picture of herself with her ID in one hand and today's newspaper in the other, with our URL written on the paper.

Much to our surprise, she went through with it. The picture was quite funny if you've ever been to 419eater.com. It looked like one of those pictures.

It also feels bad to ask good people to verify themselves.

 

[H4G]

MaxMind with Phone Verification -> Manual Verification -> Request for IDs, depending on size of order -> Manual Phone Call (if required)

 

[Kayaba Akihiko]

MaxMind with Phone Verification -> Manual Verification -> Request for IDs, depending on size of order -> Manual Phone Call (if required)

If this is seriously what you're gonna go through with every customer I don't think youre gonna have many

 

[eva2000]

To cut down fraud maybe should look into Visa's Verified by Visa and Mastercard's Secure Code programs ? They're very popular in Australia for merchanges/vendors/businesses and I am starting to see more usage in other countries. For example, internet.bs which I use for domain registrations uses Verified by Visa

http://visa.com.au/personal/security/onlineshopping.shtml

 

[BrianHarrison]

MaxMind with Phone Verification -> Manual Verification -> Request for IDs, depending on size of order -> Manual Phone Call (if required)

If this is seriously what you're gonna go through with every customer I don't think youre gonna have many

I agree with Kayaba Akihiko. Also, isn't MaxMind Phone Verification going away by the end of the year?

 

[Flapadar]

Most foreign ID's have the English equivalent on them. Russian ones might not - it's a bit of a pain!

 

[Xeepi]

I haven't seen any Chinese IDs but i am sure Chiness passports also have the information written in English / with latin letters.

By Bulgarian ID has everything repeated two times - once in Bulgarian with cyrillic letters and once in English with latin letters.

Not really, Chinese IDs are written in Chinese by default, the only identification has written English I could tell is visa.

So that's really hard to verify whether a Chinese order fraud or not if you cannot read Chinese, you could consider using SMS verification but that does not make too much sense, Chinese abusers are devastating.

 

[TurnkeyInternet]

Nothing beats the good old telephone call - nothing like a language barrier at 3 am when verifying someone, it is amazing how well you can understand swear words in a foreign language over the telephone.   (Did that once or twice many years ago).

Photo ID, front/back of something like a payment card, or utility bill are not uncommon now.

What I can't understand is the desire for people to risk getting in trouble for fraud, over something as low cost as a hosting service.  I understand some people will commit fraud, and commit crimes (for varying reasons, and needs to be met like feed their family they may steal a loaf of bread).  But I'll never understand why people risk going to jail over using a stolen credit card to buy a $5/mo shared hosting account.   That whole risk vs reward aspect seems crazy.   I've gone so far over the years to ask some that we catch for fraud why they would risk over such a small amount, and why with us.  Why not buy a $1,000 TV or something.

Anyway - back to the MannDude's question - based on a combination of metrics for fraud screening we will automate orders vs asking for photo ID, and front/back of a credit card (or utility bill) that matches the name/address they signed up with.  It at least scares off most the fraud people to move on to the low dangling fruit of the next victim host.  Not saying its a fool proof way to weed out fraudsters, but most wont bother to doctor up with photo shop and just move onto the 999,999 other hosting companies they could commit fraud with.

 

[Aldryic C'boas]

What I can't understand is the desire for people to risk getting in trouble for fraud, over something as low cost as a hosting service.  I understand some people will commit fraud, and commit crimes (for varying reasons, and needs to be met like feed their family they may steal a loaf of bread).  But I'll never understand why people risk going to jail over using a stolen credit card to buy a $5/mo shared hosting account.   That whole risk vs reward aspect seems crazy.   I've gone so far over the years to ask some that we catch for fraud why they would risk over such a small amount, and why with us.  Why not buy a $1,000 TV or something.

Most of the providers that would accept shady payments are the types that would eat the 5$ rather than report the fraud anyway - the last thing they want is an investigation and having their own dirty secrets float up.

 

[jamaica]

IMO, it's really impossible to verify foreign person. Even if he will send passport scan, because this scans costs around 10-20$.

And really, I dont care who are using my services, till it doesnt violate our ToS. Why should I think something bad about all my customers just because 0.1% of my customers are spamers?

 

[TurnkeyInternet]

IMO, it's really impossible to verify foreign person. Even if he will send passport scan, because this scans costs around 10-20$.

And really, I dont care who are using my services, till it doesnt violate our ToS. Why should I think something bad about all my customers just because 0.1% of my customers are spamers?

Everyone on earth has a picture capable smart phone - at least anyone ordering something online like web hosting.  There is no reason they can't take a photo and email the jpg to you - no need for A $20 scan.  We have had spammers and fraudsters try that one "it will take me 3 days to travel to nearest scanner, and cost money".  then we explain to use their smart phone (and even verify they signed up using a web browser that apparently is built into a smart-phone, so we know they have one!) and suddenly things change fast with the story  

its just one hurdle to help keep trouble off your network - it can't hurt, if a client has other ways to look legit you can obviously skip the heavy handed 'photo ID' option.  I've seen some companies using facebook now on their sign-up forms specifically for verifying people or businesses.

 

[Wild1145]

Normally a google for that type of ID is enough. If they are utterly stupid you can see they just used paint to put their name on it. Else its just about trying to see if looks somewhat like the examples you can find online...

 

[TierNet]

A phone verification on registered number is always ideal for verifying a client.. if the order is too suspicious, you can ask them to make a wire transfer.

 

[GigaboxHost]

Once we start asking for verfication, they usually never answer back. we ask for some off the wall verfication sometimes.

 

[PascM]

Once we start asking for verfication, they usually never answer back. we ask for some off the wall verfication sometimes.

I second that, but there are times where people really reply and they provide ...well listen to this, same ID different name (!)  :lol: